Uli Fouquet wrote:
> Ok. I'll put something into the zope.app.authentication branches for
> review.


> Two remaining questions: I would like to use `os.urandom` instead of
> `random.randint` to create the salt, because this is recommended in
> cryptographic contexts. There was, however, a problem with this module
> in former times: sometimes it stopped until enough entropy was
> available, which could make threads and processes hang. Is this still an
> issue?

Well, the Linux man page for "urandom" says that /dev/urandom never 
blocks, while /dev/random can block if the entropy pool runs out.  I 
assume os.urandom uses /dev/urandom.

> Last question: How should we handle lack of SHA-2 hashes in the Python
> standard lib of 2.4? Self-implementing sounds too error-prone to me
> while existing Python ports of the reference implementation in PyCryto
> etc. are implemented in C which would make `zope.app.authentication` a
> binary package. Something I would like to avoid. Or is support for
> Python 2.4 running out anyway?

Let's not implement the SHA-2 version yet.  SSHA, based on SHA-1, is 
sufficient for now.


Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to